Increased Smartphone Attacks Create New Fraud Risk

The increase in cyberattacks on mobile smartphones in 2004 — with exploits surging dramatically in the last 30 days — promises a new wave of fraudulent billing and deleted or stolen user information, according to a Finnish security firm.

Helsinki-based antivirus provider F-Secure warned against a new wave of "false billing, unwanted disclosure of stored information, and deleted or stolen user data," driven by a steep increase in computer viruses and "Trojan horse" programs that target mobile devices.

In addition to the dangers posed by "trojanized" programs — including games, screensavers, and other applications — security experts warn that infections can also enter mobile devices via Bluetooth or Internet connections. Mobile phones running the widely used Symbian operating system — including devices manufactured by such popular phone makers as Nokia — have been a particular target. The Symbian OS is currently used by more than 20 million mobile phones worldwide.

The past month has seen a sudden increase in smartphone attacks, with at least eight new exploits discovered since 19 November. Of these, five are variant forms of the Cabir worm and three are variants of Skulls, a trojan that replaces mobile phone display icons with images of human skulls.

The rapid increase in exploits indicates that virus writers now consider smartphones an intriguing target — one that will certainly become even more interesting as e-commerce and bill payment via smartphone become more common. Furthermore, as mobile phone standards converge, globe-trotting travelers with infected devices are spreading smartphone viruses from one continent to another with increasing ease. When used in e-commerce transactions, these infected phones will expose users to the threat of identity theft and fraud — just as Internet-connected computers hit by the phishing and spyware epidemics do today.

A statement from Finnish security firm F-Secure warned: "In the future, it is likely that we will also see new kinds of attacks: trojan horses in games, screensavers and other applications — resulting in false billing, unwanted disclosure of stored information, and deleted or stolen user data."

The following timeline gives a sense of the stepped-up pace of mobile phone attacks:

• Spring 2004: A trojanized game called "Mosquitos" secretly sends messages to expensive toll numbers at the user's expense.
• 15 June 2004: The Cabir worm replicates over-the-air via Bluetooth connections.
• 16 June 2004: Cabir.B, a variation on the Cabir worm, is discovered. Cabir.B, which began spreading in the wild in autumn 2004, continues to spread today. To date, it has been detected in China, India, Turkey, the Philippines, and Finland.
• 19 November 2004: The Skulls.A trojan replaces icons on the phone with skull images, making the phone almost useless.
• 29 November 2004: Skulls.B is discovered.
• 9 December 2004: Cabir.C is discovered.
• 9 December 2004: Cabir.D is discovered.
• 9 December 2004: Cabir.E is discovered.
• 21 December 2004: Skulls.C is discovered.
• 21 December 2004: Cabir.F is discovered.
• 21 December 2004: Cabir.G is discovered.
• 21 December 2004: The METAL Gear.a trojan encourages users to download and install it by masquerading as the popular mobile phone game Metal Gear Solid.

The most recent in this new wave of exploits, the trojan METAL Gear.a, targets mobile devices using the Symbian operating system. When run, it installs Skulls and Cabir variants and tries to disable antivirus and file-browsing products installed on the device — thus making the device extremely difficult for the user to repair. In addition, METAL Gear.a also makes a file called SEXXXY.sis available to any Bluetooth phones that happen to be within range; if the user of a nearby phone accepts that file, it will disable that phone's application selection button.

In response to the increase in smartphone exploits, antivirus and security firms like F-Secure, Symantec, and Trend Micro have rolled out products specifically designed to protect mobile devices.